
KB-18311: How to mount a CIFS share from Linux using Kerberos

Authentication Service

3 August,19 at 04:34 PM

Question:

There is a need to mount a CIFS share. Due to security restrictions, leaving clear-text passwords on the servers is not permitted. How can a CIFS share be mounted using Kerberos?

Answer:
  

1. A time skew greater than five minutes between the Linux system and the Domain Controller, or improper DNS configuration, will cause this procedure to fail. Ensure that DNS and time on the server are configured correctly. If there is no internal NTP system on the server, using the Domain Controller as the NTP server for the Linux system is recommended.

2. In the directory /etc/request-key.d, create the file cifs.spnego.conf if it does not already exist. Then add the following line:

create     cifs.spnego     * * /usr/sbin/cifs.upcall %k

3. In the directory /etc/request-key.d, create the file dns_resolver.conf if it does not already exist. Then add the following line:

create  dns_resolver   * * /usr/sbin/cifs.upcall %k

4. Confirm that a Kerberos credential exists with the command /usr/share/centrifydc/kerberos/bin/klist. The output here shows a valid Kerberos credential:

csssup-suse12:/etc/request-key.d # /usr/share/centrifydc/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: csssup-suse12$@RESOURCE.CENTRIFY.LAB

Valid starting     Expires            Service principal
07/31/19 15:33:35  08/01/19 01:33:35  krbtgt/RESOURCE.CENTRIFY.LAB@RESOURCE.CENTRIFY.LAB
        renew until 08/01/19 15:33:36


5. Mount the directory

mount -t cifs -o sec=krb5 //<winserverFQDN>/<shareDrive>  /<mountPoint>

Note:
1) It is important that the CIFS server in Active Directory has a 'cifs/<serverFQDN>' servicePrincipalName (SPN) in the server attributes.
2) For setting up Kerberos SSO using a keytab file, please read the knowledge base article KB-9939.
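
A preflight check for steps 2 to 4, to run before the mount in step 5. This is an added example, not part of the original article or of any Centrify tooling. The function names, return codes and the check that the rule files are not group- or world-writable are assumptions of this example, and the demo input is constructed.

```shell
#!/bin/sh
# Added example: preflight checks for steps 2-4, run before the mount in step 5.

# check_upcall_rule DIR KEYTYPE
# Returns 0 if DIR/KEYTYPE.conf contains the rule
#   create KEYTYPE * * /usr/sbin/cifs.upcall %k
# (any whitespace between fields); 1 = file missing, 2 = file writable by
# group/other, 3 = rule absent or commented out.
check_upcall_rule() {
    dir=$1; ktype=$2; file="$dir/$ktype.conf"
    [ -f "$file" ] || { echo "MISSING  $file"; return 1; }
    # request-key runs the listed helper as root, so nobody but the owner
    # should be able to edit the rule file.
    if [ -n "$(find "$file" \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "WRITABLE $file"; return 2
    fi
    awk -v t="$ktype" '
        NF == 6 && $1 == "create" && $2 == t && $3 == "*" && $4 == "*" &&
        $5 == "/usr/sbin/cifs.upcall" && $6 == "%k" { ok = 1 }
        END { exit !ok }' "$file" || { echo "NO RULE  $file"; return 3; }
    echo "OK       $file"
}

# preflight [DIR]: check both rule files; DIR defaults to /etc/request-key.d.
preflight() {
    d=${1:-/etc/request-key.d}; rc=0
    check_upcall_rule "$d" cifs.spnego  || rc=1
    check_upcall_rule "$d" dns_resolver || rc=1
    return $rc
}

# has_tgt: reads klist output on stdin; returns 0 if a krbtgt/ ticket is
# listed. It checks presence only, not the expiry time.
has_tgt() {
    awk '$NF ~ /^krbtgt\// { found = 1 } END { exit !found }'
}

# Demo on constructed input: a scratch directory holding only the step 2 file.
demo=$(mktemp -d)
printf 'create     cifs.spnego     * * /usr/sbin/cifs.upcall %%k\n' \
    > "$demo/cifs.spnego.conf"
chmod 644 "$demo/cifs.spnego.conf"
preflight "$demo" || echo "preflight failed: fix the files listed above"
rm -rf "$demo"
```

On a real system, call preflight with no argument as root and pipe the output of /usr/share/centrifydc/kerberos/bin/klist into has_tgt.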
 
